Make system tokens work with domain-specific drivers
When calling certain group or user APIs, keystone logic would attempt to figure out the domain to scope responses to. This was specific to enabling domain-specific driver support, where each domain is backed by a different identity store. This functionality is turned off by default. Since system-scoped tokens are not associated to a domain (unlike project-scoped tokens or domain-scoped tokens), the logic to determine a domain from a system-scoped token was breaking and returning an erroneous HTTP 401 Unauthorized when system users attempted to list users or groups. This commit adds support for domain detection with system-scoped tokens. Conflicts: keystone/server/flask/common.py This backport has conflicts with keystone/server/flask/common.py due to the ``token_ref`` variable being renamed to ``token``. This conflict is resolved by continuing to use the old name, but the change is functionally equivalent to what was proposed to all other branches. This backport modifies the unit test to use the pre-flask-compatible self.admin_request method instead of flask's test_client() context manager. Change-Id: I8f0f7a623a1741f461493d872849fae7ef3e8077 Closes-Bug: 1843609 (cherry picked from commit8f43b9cab0
) (cherry picked from commit417d2c0e6e
)
This commit is contained in:
parent
d57733f4e8
commit
65cb669e78
|
@ -505,6 +505,8 @@ class V3Controller(provider_api.ProviderAPIMixin, wsgi.Application):
|
|||
return token_ref.domain_id
|
||||
elif token_ref.project_scoped:
|
||||
return token_ref.project_domain_id
|
||||
elif token_ref.system_scoped:
|
||||
return
|
||||
else:
|
||||
msg = _('No domain information specified as part of list request')
|
||||
LOG.warning(msg)
|
||||
|
|
|
@ -2440,6 +2440,18 @@ class TokenAPITests(object):
|
|||
allow_expired=True,
|
||||
expected_status=http_client.NOT_FOUND)
|
||||
|
||||
def test_system_scoped_token_works_with_domain_specific_drivers(self):
|
||||
self.config_fixture.config(
|
||||
group='identity', domain_specific_drivers_enabled=True
|
||||
)
|
||||
|
||||
PROVIDERS.assignment_api.create_system_grant_for_user(
|
||||
self.user['id'], self.role['id']
|
||||
)
|
||||
|
||||
token_id = self.get_system_scoped_token()
|
||||
self.admin_request(method='GET', path='/v3/users', token=token_id)
|
||||
|
||||
|
||||
class TokenDataTests(object):
|
||||
"""Test the data in specific token types."""
|
||||
|
|
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
fixes:
|
||||
- |
|
||||
[`bug 1843609 <https://bugs.launchpad.net/keystone/+bug/1843609>`]
|
||||
Fixed an issue where system-scoped tokens couldn't be used to list users
|
||||
and groups (e.g., GET /v3/users or GET /v3/groups) if ``keystone.conf
|
||||
[identity] domain_specific_drivers_enabled=True`` and the API would
|
||||
return an ``HTTP 401 Unauthorized``. These APIs now recognize
|
||||
system-scoped tokens when using domain-specific drivers.
|
Loading…
Reference in New Issue